The situation I face is a family member whose position is the following:

I don't want to update something that works, updates may break something. Look at our old computer that runs Windows 98, I've been using it every day for everything for 15 years now and it works without any problem, even though there's absolutely no antivirus or anything.

Using the same reasoning, he strongly resisted installing any updates or service packs on his other computer running Windows XP, and now that XP is dead, I cannot even imagine how he will react to the choice of either

buying several Windows 7-s for his computers for serious money, or

switching to Linux and basically relearning how to use computers from scratch.

What facts can I use to convey to them that it's bad if the computer is infected with malware, even if they don't notice anything wrong?

Who cares? Tell them what you think, let them decide, and when they need help cleaning up, that's not your problem, and if it is, then say "See!? I told you so! Now about my bill for cleaning up your mess...". VTC as off-topic (not a computer problem).
– Ƭᴇcʜιᴇ007 Apr 9 '14 at 20:13

14

Go paint "I'm a Nazi Child Molester!" on the side of his car, and then ask him to drive it around town and to work. "Who cares, the car still works, right?" ;)
– Ƭᴇcʜιᴇ007 Apr 9 '14 at 20:35

You won't convince them with facts. They're clearly immune. You will convince them by an absolute uncompromising refusal to have anything to do with those computers in the state they're in.
– Michael Hampton Apr 10 '14 at 3:25

9 Answers
9

The best and least refutable argument is that, if you have nothing else to protect, you have your reputation.

If your account starts sending virus spam, you have to answer to everyone in your address book.

If the FBI starts asking why your PC engaged in a coordinated DDoS attack on a bank's website (because you got enrolled in the Zeus botnet), you have to let them sift through all your personal artefacts to (hopefully) prove you are not a cyber-criminal suitable for imprisonment for 30+ years. Or worse yet, someone used your computer as a proxy for downloading child pornography, stealing and selling credit card data, or selling drugs on the Silk Road.

Everyone has their reputation (and potentially their freedom) to protect. Emphasizing that is one of the more effective ways to teach people (patching) religion. Just an investigation on some of these topics is enough to show up in background checks, which can follow you the rest of your life.

This is unrealistic. The suggestion to hand over evidence to the police in an attempt to convince them of your innocence is far more likely to put you in jail than running an outdated operating system (and you should do neither).
– Marcks Thomas Apr 9 '14 at 22:20

10

Perhaps "asking" was a poor word choice. They 'ask' with warrants, guns, and large people who haven't learned the definition of the words 'civil liberties'. You don't 'let' them sift through your artifacts so much as they just don't lift their boot off your neck until their colleagues have removed all electronics from your home.
– Frank Thomas Apr 9 '14 at 22:56

6

Then perhaps 'unrealistic' was a poor choice of words on my part, because indeed what you describe can happen and has happened, but something so easily dismissed as unlikely won't be a convincing argument. In determining whether to get a newer OS, no one writes 'avoid possible jail time' and 'may get hit by bus on way to computer store' on a pros and cons list.
– Marcks Thomas Apr 10 '14 at 0:33

2

Heh, all you have to be is single, a man and over 40 for child porn distribution charges to stick. Somebody hacks your system, uses it to distribute some pretty awful stuff and you are too tech ignorant to defend yourself when SWAT hits the door with the requisite warrant. Better have a really good lawyer on retainer.
– Fiasco Labs Apr 10 '14 at 4:25

I don't want to update something that works, updates may break
something. Look at our old computer that runs Windows 98, I've been
using it every day for everything for 15 years now and it works
without any problem, even though there's absolutely no antivirus or
anything.

Clearly it works for him. His argument is good.

If somebody is not going to dodgy websites, not installing software, let's say they just use Word, and Outlook Express and they don't open attachments.

I have seen middle aged non-computer users in the family that use a computer minimally, and some elderly in the family, just don't get malware on their computer. I suppose they could misspell a URL but they manage with the one or two URLs they visit, or the URLs come up in the address bar. Or they have a button on the bookmark bar that sends them to the URL.

If somebody can survive in this day and age with Windows 98 and not get anything in 15 years, they are doing better than others with lots of "protection".

I may be flamed or downvoted for saying this but I'm inclined to agree with him. Not that it works for anybody but that it works for him, with his style of computer use.

One way you could show a flaw in his argument, is by taking down his computer yourself, remotely, without installing any special software or malware on there (and without social engineering that abuses his trust in you), and it should be realistic i.e. something that really could happen that you see happening. Good luck trying to do that!

You should also educate him as to the risks of our times, like he may get email purporting to be from people he knows, telling him they've lost all their money. And he shouldn't fall for that.

I'm sure many people know some cautious computer users in their 60s and even those in their 80s/90s who do not "browse" the web, and are just not getting malware on their computer! Like somebody that only uses the television to watch the BBC News, somebody might only use their web browser to go to the BBC News website. There are people like that believe it or not, and it'd take a miracle for them to get malware on their computer!

Added:
David has mentioned there were days when IE and OE ran ActiveX without asking (though it could be configured to disable ActiveX). And one could use Chrome and web mail. The former being a fast browser anyway, and the latter being very portable.

I remember the early days of the Windows XP pandemic when viruses spread through port 135 / RPC, and computers got infected the moment you attached them to the internet, so you could update them.
– David Apr 9 '14 at 22:50

@David A NAT Router should stop access to whatever port. And the Windows XP Firewall should be stopping that too. One can always go to grc.com or whatever online port scanning site and make sure they don't have ports showing up. Could be an early XP had a bad firewall setting, particularly bad if on dial up so directly exposed. But behind a NAT Router and XP Firewall properly set, that wouldn't happen. Very trivial to check no ports are exposed.
– barlop Apr 9 '14 at 23:00

1

This was in the pre-WinXP SP1/SP2 days, when everyone connected their computer directly to their DSL/cable modems. Before everyone had NAT routers. My point being that there will always be some sort of exploit, and the older the software, the more well known those exploits are.
– David Apr 9 '14 at 23:07

@David yes but my point was that nowadays people have NAT Routers not dialup. And even if his XP was an early release, he could still have the firewall configured properly. And I am saying he should make sure no ports are exposed onto the Internet, that rules out a ton of exploits. The fact that you had to pick one that was only relevant on a badly configured firewall and a computer on dial up with ports exposed, and does not require an antivirus or installing updates to defend against. Just the basics of a NAT Router.. and a sanely configured XP Firewall
– barlop Apr 9 '14 at 23:21

1

But Chrome is a patch or a fix. It no longer is part of the default software. On our firewalls at work, we see loads of random attacks, port scans, on our firewalls that are on otherwise unpublished IP addresses. These attacks originate from all over the world. There are folks on the internet looking to get access through published exploits all the time. I see this every day in the logs. Not installing patches is just putting your head in the sand.
– David Apr 9 '14 at 23:39

If a human catches a biological virus and doesn't notice, then they'll probably end up spreading it everywhere and hurting other people. So maybe you shouldn't go around licking toilets (using XP), even if it doesn't bother you specifically.

Even if he doesn't notice his computer has become part of a botnet, he'll still be sending spam everywhere.

Just because the user has not noticed any inclement behaviour yet does not mean they can expect that trend to continue in the future. Especially in a digital environment, where we have seen many times that security flaws are manipulated to extract useful information.

What's to stop your user from visiting a new website tomorrow that installs a keylogger on their machine? And soon after, noticing some unexpected purchases on their credit card. Not only is it possible, it's got significant enough probability to be a threat worth taking preemptive action over.

The important thing to realize is that anti-virus and other security is to stop your system from getting infected in the first place, not to fix problems when you notice them.

Like the old saying goes, an ounce of prevention is worth a pound of cure.

The answer is twofold:
1. It is the responsible thing to do, i.e. part of treating fellow life with respect (those you know like your friends and family and those you don't know like the guy down the street, in the next state, or the country over there).

2. To protect whatever you may have that you expose to your computer (money, personal information, photos etc).

Seems like this user needs the WIIFM (what's in it for me?) angle. Is the computer used for storing anything of value (pictures, documents, anything he/she wants)? Is the use of the computer itself valuable (e.g. vs. the time/effort to reinstall and start fresh)?

Then he absolutely wants to stay up to date and protected and here's why:

Malware generally invites other malware.
It's not only the guest that never leaves, but the longer he's there, the more friends he invites.

Ever notice how a malware-infected PC generally has more than one "thing" infecting it? That's because as soon as the one thing gets in it usually 'phones home' and gets more malware. Typically there will be one component that is [basically] a downloader and that piece gets its instructions from a server which tells it what nasties to bring in. The operator of that server can change that list at any time so just cuz "it's not bothering" him today, doesn't mean that won't change tomorrow.

Still, what's the worst that can happen, right? So let's forget about spamming and DDoS botnets for a moment and look at something like Cryptolocker. There's a nice bit of digital "F**k You".
Would your user be happy having his entire hard drive and any attached drive (external or mapped network) be held for ransom? Cryptolocker's gotten so 'famous' there's now not only variants but I believe copycats too. So will he be satisfied to just walk away from it all (not to mention investing hours to at least format everything and reinstall XP (if he can even find the disc) from scratch)?
Or will he gamble on paying some douche in a far away country, via bitcoin or wire transfer or something, some $300-$900 on the chance he'll get his data back?

Dunno about your user but lazy as I am, that's still enough to get me off my ass...
And if he needs any proof, there's a few cool YouTube vids showing Cryptolocker in action.

I really don't know why people are so scared of "XP's death".
It's not dead - it's no longer supported, that's all.

I'd say it is reasonable to stay with it, even without any protection software, if you're a reasonable user. And like others said, being a reasonable user doesn't mean you have to know everything about computers, systems, or be up-to-date with virus threats and so on.

There are lots of people using Windows XP, big companies all over the world with thousands of PCs not capable of running Win7. Do you really think they will all buy new PCs? I doubt it, I really do.

And to answer your question, after all, I'll stick to the "carrier" sort of thing, your computer being a distributor of malware. But if that person isn't filled with sympathy and/or compassion, will he/she really care?

His argument is based on laziness and desire to maintain the status quo. So explain why malware threatens the status quo:

Malware uses the computer more than it otherwise would, which not only hits him in the wallet via electric bill, but also wears components faster than they otherwise would, leading to a computer dying before its time. Not only is buying a new computer an expense, but rescuing data from the failed one is a lot more work than installing patches.

Malware may consume all his storage with illicit content. Quite apart from someone discovering it there (generally after tracing transmission), when free space hits zero, he's in for a world of hurt. (Programs not starting, possibly even Windows not booting) Cleaning up a disk full of warez is a lot more effort than installing patches.